### 8 breaking releases

0.9.0 | Apr 3, 2024 |
---|---|

0.8.0 | Feb 5, 2024 |

0.7.0 | Dec 12, 2023 |

0.6.0 | Oct 24, 2023 |

0.1.0 | Dec 1, 2022 |

#**206** in Cryptography

**6,501** downloads per month

Used in **5** crates

**MIT/Apache**

1.5MB

**36K**
SLoC

# decaf377

Many zero-knowledge protocols require a cryptographic group that can be used inside of an arithmetic circuit. This is accomplished by defining an “embedded” elliptic curve whose base field is the scalar field of the proving curve used by the proof system.

The Zexe paper, which defined BLS12-377, also defined (but did not name) a cofactor-4 Edwards curve defined over the BLS12-377 scalar field for exactly this purpose. However, non-prime-order groups are a leaky abstraction, forcing all downstream constructions to pay attention to correct handling of the cofactor. Although it is usually possible to do so safely, it requires additional care, and as discussed below, the optimal technique for handling the cofactor is different inside and outside of a circuit.

Instead, applying the Decaf construction to this curve gives decaf377, a clean abstraction that provides a prime-order group, complete with hash-to-group functionality, and works the same way inside and outside of a circuit.

More details are available on the Penumbra website.

## Features

: default, for use in`std`

environments,`std`

: default, for use in`alloc`

environments,`alloc`

: default, uses Arkworks crates for elliptic curve operations,`arkworks`

: uses 32-bit finite field arithmetic (default is 64-bit),`u32_backend`

: enables rank-1 constraint system gadgets,`r1cs`

: enables the use of parallelism.`parallel`

## Benchmarks

Run

benchmarks using:`criterion`

`cargo`` bench`

This will generate a report at

.`target/criterion/report/index.html`

#### Dependencies

~0.1–1.8MB

~33K SLoC